8 Ways To Secure WordPress With .htaccess

Every CMS is susceptible to hacking, even WordPress - our support team deal with hacked WordPress sites on a frequent basis. However, there are a number of precautions you can take to harden security and keep WordPress protected, most of which are frequently overlooked or simply unknown to site owners.

We’ve listed five ways to keep WordPress secure before, and also highlighted a number of common mistakes WordPress users make, and how to avoid and rectify them. An area we’ve yet to explore is how to leverage .htaccess to harden your WordPress site against hackers.

What is an .htaccess file?

The .htaccess file lets you make configuration changes that apply to your whole site, or only to the specific directory the file is placed in. You can use it to control a number of aspects of your site’s behaviour, such as setting up redirects, password protecting directories and adding custom error pages. You can edit your .htaccess files over FTP. The . (dot) before htaccess indicates that it’s a hidden file.

How to modify the WordPress .htaccess file

Note: This guide is intended for non-multisite WordPress installs.

The .htaccess file for WordPress can be found within your public_html directory. If you use the Yoast SEO plugin, you can also view and edit your .htaccess file through the 'Edit Files' section of the plugin’s settings.

The WordPress .htaccess file doesn’t actually exist upon initial installation, but is created when you change your site’s permalink structure, as recommended, through the admin area. Changes are then automatically written to the .htaccess file by some plugins and by WordPress itself.

It’s important that changes you make are written outside of:

`# BEGIN WordPress
[WordPress data]
# END WordPress`

If you don't do this, your changes may be overwritten by WordPress. The same applies for plugin data.

A word of caution: a simple mistake when editing your .htaccess files can be problematic; for instance, it’s possible to lock yourself out of your site or take your entire site offline. The Cloud takes 30 days of backups automatically, but as best practice we recommend taking a backup of your data before editing .htaccess files yourself.

If you lack coding knowledge, and you’re not confident in accessing this file, the WP htaccess Control plugin provides an easier interface for editing it. Once installed, go to htaccess suggestions and harden your security through here.

How to harden WordPress with .htaccess

1. Protect wp-config.php

wp-config.php is an important file in your root directory that houses sensitive information about the database, including the username, password and host name. It provides the link between WordPress and MySQL. To ensure this data does not fall into the wrong hands, add the following snippet to prevent HTTP access to wp-config.php:

`
# Deny every HTTP request for wp-config.php. The <files> wrapper scopes the rule to
# this one file; without it the deny would apply to the whole directory and lock out the site.
<files wp-config.php>
order allow,deny
deny from all
</files>
`

Outside of the .htaccess, we also recommend setting ‘600’ permissions on the wp-config.php file to prevent any possibility of it being read by another user on the same system as you. This can be done in the File Manager or via FTP.

2. Secure wp-includes

There are a number of scripts in WordPress that no visitor should ever need to request directly. You can block these include-only files through .htaccess using the following code:
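The rule set itself did not survive on this page, so the block below is an added example rather than the article’s own snippet: it is the include-only rule set published in the WordPress Codex hardening guide. It assumes mod_rewrite is available and that WordPress is installed at the web root (RewriteBase /); for a subdirectory install, adjust RewriteBase accordingly.

```apache
# Added example (WordPress Codex "Hardening WordPress" rule set, not this article's own snippet).
# Assumes WordPress lives at the web root; change RewriteBase for a subdirectory install.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Forbid direct requests to the admin-side include scripts.
RewriteRule ^wp-admin/includes/ - [F,L]
# For any request that is NOT under wp-includes/, skip the next three rules.
RewriteRule !^wp-includes/ - [S=3]
# Forbid PHP files sitting directly inside wp-includes/ (sub-directories are not matched here).
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
# Forbid the TinyMCE language files and the legacy theme-compat scripts.
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
```

Place this in the root .htaccess, outside the # BEGIN WordPress / # END WordPress markers. The [S=3] skip count must equal the number of wp-includes rules that follow it, so add or remove rules in pairs with that number. These rules are for single-site installs, in line with the note at the top of this guide. To confirm they are active, request /wp-includes/version.php in a browser: it should now return 403 Forbidden instead of a blank page.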

3. Access only by IP

If you only ever access your WordPress admin area from the same location, you may want to restrict access to your own IP address. To do this you’ll need to add a small snippet to the .htaccess file in the wp-admin directory. If that file doesn’t exist, don’t worry: simply create one yourself via FTP. Add the following code:
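As an added example (not the article’s own snippet), here is a wp-admin/.htaccess that admits only one source address on either Apache 2.2 or 2.4. The address 203.0.113.10 is a placeholder from the documentation range and must be replaced with your real IP.

```apache
# Added example: wp-admin/.htaccess restricting the dashboard to one source address.
# 203.0.113.10 is a placeholder (RFC 5737 documentation range); replace it with your own IP.

# Apache 2.4 syntax (mod_authz_core).
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10
</IfModule>

# Apache 2.2 syntax, used only when mod_authz_core is absent.
<IfModule !mod_authz_core.c>
    order deny,allow
    deny from all
    allow from 203.0.113.10
</IfModule>

# admin-ajax.php is requested by front-end plugin and theme code on behalf of every
# visitor, so it must remain reachable from anywhere or those features will break.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        order allow,deny
        allow from all
    </IfModule>
</Files>
```

Two practical caveats: a home or office connection with a dynamic IP will eventually change and lock you out, so keep FTP access handy to edit the file; and on Apache 2.4 the older order/deny/allow directives (which the other snippets in this article also use) only work if mod_access_compat is loaded, which is why the block above carries both forms. Verify the restriction from a second network (for example a phone on mobile data): /wp-admin/ should return 403 there while still loading from your listed address.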

6. Prevent directory browsing

Nowadays people are very familiar with the WordPress directory structure, and if directory browsing is enabled on your site, anyone can list which plugins you have installed along with other file details. To protect this information, prevent directory browsing by adding a single line:

`Options -Indexes`

7. Disable hotlinking

As covered in our post about speeding up WordPress, hot-linking is when other site owners use your files by linking directly to them on your site, eating up your disk space and bandwidth, and potentially slowing your site down. This may not be in the realm of security per se, but it’s definitely worth protecting against. These four lines will prevent hot-linking to your site:
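The four lines did not survive on this page; the block below is an added example (not the article’s own snippet) of the usual mod_rewrite approach. It assumes mod_rewrite is enabled and uses example.com as a placeholder for your own domain.

```apache
# Added example: block image hot-linking with mod_rewrite. example.com is a placeholder.
RewriteEngine On
# Let through requests that carry no Referer at all (direct visits, bookmarks, browsers or
# privacy settings that strip the header); otherwise those visitors would lose your images.
RewriteCond %{HTTP_REFERER} !^$
# Let through requests referred from your own site, with or without www, over http or https.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
# Any other request for an image file is answered with 403 Forbidden.
RewriteRule \.(jpe?g|png|gif|webp)$ - [F,NC,L]
```

Put this in the root .htaccess above the # BEGIN WordPress marker; existing image files are served before WordPress’s own rewrite rules run, so the two blocks do not interfere. Note that the Referer header is supplied by the client and can be set to anything, so this is a bandwidth-saving courtesy control rather than a security boundary. To check it, request an image from your uploads folder with a foreign referer, for example with curl -I -H "Referer: https://other.example/" followed by the image URL, and confirm the response is 403, while the same request without the header still returns 200.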
